[Openstack-security] [Bug 1326474] Re: crypto/utils.py may use too much padding

Abu Shohel Ahmed 1326474 at bugs.launchpad.net
Wed Jun 4 19:09:22 UTC 2014


Padding is required for messages in which the msg length is not always
guaranteed to be an exact multiple of block_size. For cases when len(msg)
% block_size == 0, we still have to add the pad to the message during
encryption because we have to add the padlen byte. The decryption
logic cannot work without knowing a common format of padding
(to distinguish padded or not). This is the desired behaviour.

-- 
https://bugs.launchpad.net/bugs/1326474

Title:
  crypto/utils.py may use too much padding

Status in Oslo - a Library of Common OpenStack Code:
  New

Bug description:
  I've been reviewing some of the crypto code available in OpenStack and
  noticed something interesting in the padding of
  common/crypto/utils.py.

  If the message length is the same as the cipher block size, an entire
  extra block of padding is sent along with the message. I'm not sure if
  this is desired behaviour (if it is, this bug is invalid), but it
  certainly doesn't seem quite right.

  If the message length is ever the same as the boundary size ( % 256)
  then an entire extra block of padding will be applied:

  ---code---
     r = len(msg) % self.cipher.block_size
     padlen = self.cipher.block_size - r - 1
     msg += b'\x00' * padlen
     msg += bchr(padlen)
  ---/code---

  So if our msg length is 256, 512, ... then 'r' will be 0,
  padlen will be 256-0-1 or 255, and
  msg gets 255 * b'\x00' added and then the number 255 tagged on the end.
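
The trade-off discussed in this thread, as an added example (not code from oslo or from either poster): `pad` follows the quoted snippet, while `unpad`, `pad_skipping_aligned`, the 16-byte block size and the sample messages are assumptions made for illustration. It shows that skipping the pad for aligned messages makes two different plaintexts produce the same padded bytes, so the receiver cannot tell them apart.

```python
BLOCK = 16  # assumed block size for the demo; the snippet uses cipher.block_size


def pad(msg: bytes, block_size: int = BLOCK) -> bytes:
    """Padding as in the quoted snippet: zero fill, last byte = number of zeros."""
    r = len(msg) % block_size
    padlen = block_size - r - 1
    return msg + b"\x00" * padlen + bytes([padlen])


def unpad(padded: bytes, block_size: int = BLOCK) -> bytes:
    """Inverse of pad(); written for this example, it always expects a padlen byte."""
    if not padded or len(padded) % block_size:
        raise ValueError("length is not a positive multiple of block_size")
    padlen = padded[-1]
    if padlen >= block_size or any(padded[-1 - padlen:-1]):
        raise ValueError("malformed padding")
    return padded[:-(padlen + 1)]


def pad_skipping_aligned(msg: bytes, block_size: int = BLOCK) -> bytes:
    """Hypothetical variant: add no padding when the message is already aligned."""
    if msg and len(msg) % block_size == 0:
        return msg
    return pad(msg, block_size)


def demo() -> dict:
    # Constructed messages: one block-aligned, one 12 bytes long.
    aligned = b"A" * 12 + b"\x00\x00\x00\x03"
    short = b"A" * 12
    return {
        # Snippet behaviour: an aligned message grows by one full block ...
        "aligned_padded_len": len(pad(aligned)),
        # ... and round-trips unchanged.
        "roundtrip_ok": unpad(pad(aligned)) == aligned,
        # Variant: the aligned message is byte-identical to pad(short),
        "collision": pad_skipping_aligned(aligned) == pad(short),
        # so the receiver silently recovers the wrong plaintext.
        "variant_recovers": unpad(pad_skipping_aligned(aligned)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```
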
